Replies

The big seller for Machine Authentication is that your machine (PC) gets authenticated to the network at start-up, meaning it gets on the network so that your users can then log on with their credentials. This is normally done with GINA or a supplicant.

Yeah, I get that. What about using them both together? So let's say that the machine authenticates so that it can download any machine policies from AD, and then the user logs in and it re-authenticates to the wireless. Is there any value in that, or is it over-complicating things? Here are the scenarios.

1) We don't want users being able to use personal devices, so using user authentication is out.

2) We have some company devices that can't join a domain, like iPads, so user authentication is in...

I realize that I could create 2 separate SSIDs for these situations... So maybe do one with machine authentication for the company AD devices and then user authentication for the non-AD devices?

Then there is the issue of what we do if the device is stolen. They don't want a stolen device to be able to attach to the wireless network. That is why I ask the question of using both user and machine authentication... but now that I think about it, we could just kill the stolen device out of AD or something and that should take care of it.

Besides, on Windows 7 there is an option to use User or Machine authentication. As I watch my RADIUS logs, it looks like it does machine auth first and then re-authenticates using the user name. Trying to determine if that has any benefit or not.

Well, since you have both domain computers and non-domain devices, you are on the right track. You should have two SSIDs if you ask me, so that you can map the SSID for non-domain devices to a VLAN you can filter better. As for Windows 7 using User or Computer.... that means both. You will need to have a user and a computer certificate in order to choose this setting. With certificates for users and computers, you can always revoke the certificate and remove the user from AD or the OU. Even if you have User and Computer and the device gets stolen, well.... until you remove the computer or user, that device will be able to get on the network. So it will come down to how fast the user tells you he or she has lost their laptop and how long it takes you to remove the user or computer from AD. Windows 7, along with Vista, does have a setting to allow the computer to access the network before the login prompt is presented to the user.

So really then, there isn't a whole lot of benefit in trying to force both user and machine authentication on the same SSID. Is that right? I would also think that if you allowed the machine to have access by group, then if it's stolen you could just remove it from the group. Plus, the thief would still need an AD account, which they may or may not have, depending on who it is. But if it's stolen and there is no local profile on the machine and the machine is not on our network, they still wouldn't get on. The danger is really only if the thief is an employee who may also have credentials, or has stolen credentials.

Like I say, I may just be overly paranoid, but my security hat tends to get me to think that way. The main point is to keep people from bringing their own personal devices in and attaching. I think I have mitigated that. I am just trying to think of any other scenarios while I am thinking about it.

Machine Auth means the computer can get on the network before a user logs on. This means people who don't have locally cached profiles can log on to the machine, as it is on the network and domain. It also means that login scripts etc. can run during logon. On XP, at the wireless re-auth period it will switch to the user cert (depending on what the registry setting for the computer is, of course); Windows 7 re-auths as the user straight away at logon. User cert only will mean that the machine will not be on the network or domain at the logon prompt, restricting use to cached users.

The way I see it, the two sensible options are: only use machine auth for network access (wireless or DOT1X on wired) and then user credentials against AD for services access, or use both machine and user as described above. I wouldn't just have user certs, as it's too restrictive, but it depends what you want to see in your logs...
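The "machine auth first, then re-auth as the user" sequence mentioned earlier in the thread (and the machine-only and user-only cases the last two replies describe) can be checked directly in the RADIUS logs rather than inferred. The following is an added example, not code from anyone in this thread: it correlates authentication records per client MAC (Calling-Station-Id) and labels each client as machine+user, machine-only, user-only or rejected. The log layout is a constructed, generic key=value rendering and not any specific RADIUS server's format; the only Windows-specific assumption is that the supplicant presents the computer account as `host/<fqdn>`, which is how Windows 802.1X machine authentication identifies itself.

```python
import re
from collections import defaultdict

# Constructed sample records in a generic key=value layout (not a real server's format).
# MAC ...01 shows the Windows 7 "User or Computer" sequence: machine auth, then user re-auth.
# MAC ...02 is machine-only (a domain PC sitting at the logon prompt, or a stolen one nobody logged into).
# MAC ...03 is user-only (a non-domain device such as an iPad, or a personal device with borrowed creds).
# MAC ...04 is a machine whose computer account or cert no longer works (e.g. removed from AD).
SAMPLE_LOG = """\
2011-09-14T08:01:12 Access-Accept User-Name=host/LT-4411.corp.example Calling-Station-Id=00-1A-2B-3C-4D-01 NAS-Port-Type=Wireless-802.11
2011-09-14T08:02:40 Access-Accept User-Name=CORP\\jsmith Calling-Station-Id=00-1A-2B-3C-4D-01 NAS-Port-Type=Wireless-802.11
2011-09-14T08:05:03 Access-Accept User-Name=host/LT-4412.corp.example Calling-Station-Id=00-1A-2B-3C-4D-02 NAS-Port-Type=Wireless-802.11
2011-09-14T08:07:55 Access-Accept User-Name=CORP\\mjones Calling-Station-Id=00-1A-2B-3C-4D-03 NAS-Port-Type=Wireless-802.11
2011-09-14T08:09:10 Access-Reject User-Name=host/LT-4499.corp.example Calling-Station-Id=00-1A-2B-3C-4D-04 NAS-Port-Type=Wireless-802.11
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<result>Access-Accept|Access-Reject)\s+(?P<attrs>.*)$")
ATTR_RE = re.compile(r"(\S+?)=(\S+)")


def parse_line(line):
    """Parse one record into timestamp, result, identity and client MAC; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    attrs = dict(ATTR_RE.findall(m.group("attrs")))
    return {
        "ts": m.group("ts"),
        "result": m.group("result"),
        "identity": attrs.get("User-Name", ""),
        "mac": attrs.get("Calling-Station-Id", "").upper(),
    }


def is_machine_identity(identity):
    """Windows machine authentication presents the computer account as host/<fqdn>."""
    return identity.lower().startswith("host/")


def classify(entry):
    if entry["machine_ok"] and entry["user_ok"]:
        return "machine+user"
    if entry["machine_ok"]:
        return "machine-only"
    if entry["user_ok"]:
        return "user-only"
    return "rejected"


def correlate(log_text):
    """Group accepted identities by client MAC and label what kind of authentication each client did."""
    per_mac = defaultdict(lambda: {
        "machine_ok": False,      # an Access-Accept for a host/ identity was seen
        "user_ok": False,         # an Access-Accept for a user identity was seen
        "user_after_machine": False,  # the user accept came after a machine accept on the same MAC
        "identities": [],         # every identity presented from this MAC, accepted or not
    })
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["mac"]:
            continue
        entry = per_mac[rec["mac"]]
        entry["identities"].append(rec["identity"])
        if rec["result"] != "Access-Accept":
            continue
        if is_machine_identity(rec["identity"]):
            entry["machine_ok"] = True
        else:
            if entry["machine_ok"]:
                entry["user_after_machine"] = True
            entry["user_ok"] = True
    for entry in per_mac.values():
        entry["state"] = classify(entry)
    return dict(per_mac)


if __name__ == "__main__":
    for mac, entry in sorted(correlate(SAMPLE_LOG).items()):
        print(f"{mac}  {entry['state']:<13} identities={entry['identities']}")
```

On a real deployment the interesting rows are the user-only clients on the domain SSID (devices that never did machine auth, so either not domain-joined or using someone's credentials from a personal device) and machine-only clients that stay that way for a long time. Whether a machine account that has been disabled or removed from AD is rejected promptly shows up as the last case.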

I was introduced to it at CiscoLive. It is definitely something I am going to look into further. The main question regarding ISE is how mature it is as a product. It's obviously new, and I know it's supposed to be some kind of combo of NAC and ACS.